From fb8fae0525bd8a7d8162858a5b5ad954bed6c49f Mon Sep 17 00:00:00 2001
From: qcqcqc <1220204124@zust.edu.cn>
Date: Fri, 24 Oct 2025 10:49:33 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E4=BF=AE=E5=A4=8Drevoke=E7=AB=AF?= =?UTF-8?q?=E5=8F=A3=E7=9B=B8=E5=85=B3=E9=80=BB=E8=BE=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
es/aspects/oauth.js | 2 +-
es/components/login/oauth/authorize/index.js | 2 +-
es/endpoints/oauth.js | 28 +++++++++++------
lib/aspects/oauth.js | 2 +-
lib/endpoints/oauth.js | 28 +++++++++++------
src/aspects/oauth.ts | 2 +-
src/components/login/oauth/authorize/index.ts | 2 +-
src/endpoints/oauth.ts | 31 +++++++++++++------
8 files changed, 64 insertions(+), 33 deletions(-)
diff --git a/es/aspects/oauth.js b/es/aspects/oauth.js
index dc5c457f3..528db2264 100644
--- a/es/aspects/oauth.js
+++ b/es/aspects/oauth.js
@@ -328,7 +328,7 @@ export async function authorize(params, context) {
 oauthAppId: oauthApp.id,
 applicationId: context.getApplicationId(),
 userId: context.getCurrentUserId(),
- scope: [scope || ""],
+ scope: scope === undefined ? [] : [scope],
 expiresAt: Date.now() + 10 * 60 * 1000, // 10分钟后过期
 }
 }, {});
diff --git a/es/components/login/oauth/authorize/index.js b/es/components/login/oauth/authorize/index.js
index e0e80ce0d..72e84c2c8 100644
--- a/es/components/login/oauth/authorize/index.js
+++ b/es/components/login/oauth/authorize/index.js
@@ -136,7 +136,7 @@ export default OakComponent({
 }).then((result) => {
 const { redirectUri } = result.result;
 assert(redirectUri, 'redirectUri should be present in authorize result');
- window.location.href = redirectUri;
+ window.location.replace(redirectUri);
 }).catch((err) => {
 console.error('Error during OAuth authorization:', err);
 this.setState({
diff --git a/es/endpoints/oauth.js b/es/endpoints/oauth.js
index 99a2cd0b5..fce6a7c6e 100644
--- a/es/endpoints/oauth.js
+++ b/es/endpoints/oauth.js
@@ -458,17 +458,26 @@ const oauthRevocationEndpoint = {
 }
 // 4. 撤销操作(无论找到与否,都返回 200,但如果找到则执行失效操作)
 if (tokenRecord) {
- const pastTime = Date.now() - 1000;
- // 将 Access Token 和 Refresh Token 的过期时间都设为过去,使其立即失效
- await context.operate("oauthToken", {
+ // const pastTime = Date.now() - 1000;
+ // // 将 Access Token 和 Refresh Token 的过期时间都设为过去,使其立即失效
+ // await context.operate("oauthToken", {
+ // id: await generateNewIdAsync(),
+ // action: "update",
+ // data: {
+ // accessExpiresAt: pastTime,
+ // refreshExpiresAt: pastTime,
+ // },
+ // filter: {
+ // id: tokenRecord.id,
+ // }
+ // }, {});
+ // 使用这个token的认证记录都撤销掉,在trigger里会自动设置 revokedAt
+ await context.operate("oauthUserAuthorization", {
 id: await generateNewIdAsync(),
- action: "update",
- data: {
- accessExpiresAt: pastTime,
- refreshExpiresAt: pastTime,
- },
+ action: "revoke",
+ data: {},
 filter: {
- id: tokenRecord.id,
+ tokenId: tokenRecord.id,
 }
 }, {});
 }
@@ -484,5 +493,6 @@ const endpoints = {
 'oauth/access_token': oauthTokenEndpoint,
 'oauth/userinfo': oauthUserInfoEndpoint,
 'oauth/token': refreshTokenEndpoint,
+ 'oauth/revoke': oauthRevocationEndpoint,
 };
 export default endpoints;
diff --git a/lib/aspects/oauth.js b/lib/aspects/oauth.js
index 4f8098860..0093af8ee 100644
--- a/lib/aspects/oauth.js
+++ b/lib/aspects/oauth.js
@@ -335,7 +335,7 @@ async function authorize(params, context) {
 oauthAppId: oauthApp.id,
 applicationId: context.getApplicationId(),
 userId: context.getCurrentUserId(),
- scope: [scope || ""],
+ scope: scope === undefined ? [] : [scope],
 expiresAt: Date.now() + 10 * 60 * 1000, // 10分钟后过期
 }
 }, {});
diff --git a/lib/endpoints/oauth.js b/lib/endpoints/oauth.js
index 5294b7d8b..a7061f1f3 100644
--- a/lib/endpoints/oauth.js
+++ b/lib/endpoints/oauth.js
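Review bot: The revoke hunk drops the update that pushed `accessExpiresAt`/`refreshExpiresAt` into the past and only issues `action: "revoke"` on `oauthUserAuthorization` filtered by `tokenId`, so whether the token actually stops working now rests entirely on the validation path (userinfo and refresh) checking the authorization's `revokedAt` — set by a trigger, according to the new comment — rather than the token row's expiry fields; that path is not in this diff, so please confirm it, because otherwise a revoked token keeps working until its natural expiry, which is the one outcome RFC 7009 revocation must rule out. If no `oauthUserAuthorization` row carries this `tokenId` (tokens issued before that link existed, for instance) the operation is a no-op and the `oauthToken` row is left untouched and usable; the cheapest defence is to keep the expiry update in place and run the revoke in addition to it, not instead of it. The old code is retained as a commented-out block; delete it and let version control hold the history. The same change appears in lib/endpoints/oauth.js and, per the diffstat, in src/endpoints/oauth.ts, which is the source to fix; the enclosing `oauthRevocationEndpoint` handler starts before this hunk.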
@@ -461,17 +461,26 @@ const oauthRevocationEndpoint = {
 }
 // 4. 撤销操作(无论找到与否,都返回 200,但如果找到则执行失效操作)
 if (tokenRecord) {
- const pastTime = Date.now() - 1000;
- // 将 Access Token 和 Refresh Token 的过期时间都设为过去,使其立即失效
- await context.operate("oauthToken", {
+ // const pastTime = Date.now() - 1000;
+ // // 将 Access Token 和 Refresh Token 的过期时间都设为过去,使其立即失效
+ // await context.operate("oauthToken", {
+ // id: await generateNewIdAsync(),
+ // action: "update",
+ // data: {
+ // accessExpiresAt: pastTime,
+ // refreshExpiresAt: pastTime,
+ // },
+ // filter: {
+ // id: tokenRecord.id,
+ // }
+ // }, {});
+ // 使用这个token的认证记录都撤销掉,在trigger里会自动设置 revokedAt
+ await context.operate("oauthUserAuthorization", {
 id: await (0, uuid_1.generateNewIdAsync)(),
- action: "update",
- data: {
- accessExpiresAt: pastTime,
- refreshExpiresAt: pastTime,
- },
+ action: "revoke",
+ data: {},
 filter: {
- id: tokenRecord.id,
+ tokenId: tokenRecord.id,
 }
 }, {});
 }
@@ -487,5 +496,6 @@ const endpoints = {
 'oauth/access_token': oauthTokenEndpoint,
 'oauth/userinfo': oauthUserInfoEndpoint,
 'oauth/token': refreshTokenEndpoint,
+ 'oauth/revoke': oauthRevocationEndpoint,
 };
 exports.default = endpoints;
diff --git a/src/aspects/oauth.ts b/src/aspects/oauth.ts
index 8c92e4c0e..f9ab7e5da 100644
--- a/src/aspects/oauth.ts
+++ b/src/aspects/oauth.ts
@@ -405,7 +405,7 @@ export async function authorize(params: {
 oauthAppId: oauthApp.id,
 applicationId: context.getApplicationId()!,
 userId: context.getCurrentUserId()!,
- scope: [scope || ""],
+ scope: scope === undefined ? [] : [scope],
 expiresAt: Date.now() + 10 * 60 * 1000, // 10分钟后过期
 }
 }, {})
diff --git a/src/components/login/oauth/authorize/index.ts b/src/components/login/oauth/authorize/index.ts
index 5e13b9d0b..d380d3097 100644
--- a/src/components/login/oauth/authorize/index.ts
+++ b/src/components/login/oauth/authorize/index.ts
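Review bot: `scope: scope === undefined ? [] : [scope]` in the src/aspects/oauth.ts hunk maps a missing scope to `[]` but still stores an empty string as `['']`, and a non-empty value is stored as one array element, so if `scope` arrives in the RFC 6749 space-delimited form a value like `read write` is persisted as a single entry that no per-scope comparison will match. Consider `scope: scope ? scope.split(' ').filter(Boolean) : []`, which treats `undefined` and `''` alike and yields one element per scope — hedged, since the scope syntax this server accepts is not visible in the diff. The same line is mirrored in the generated es/aspects/oauth.js and lib/aspects/oauth.js; the enclosing `authorize` starts and ends outside the hunk.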
@@ -155,7 +155,7 @@ export default OakComponent({
 }).then((result) => {
 const { redirectUri } = result.result;
 assert(redirectUri, 'redirectUri should be present in authorize result');
- window.location.href = redirectUri;
+ window.location.replace(redirectUri);
 }).catch((err: Error) => {
 console.error('Error during OAuth authorization:', err);
diff --git a/src/endpoints/oauth.ts b/src/endpoints/oauth.ts
index 1a12e21ea..e4b50a993 100644
--- a/src/endpoints/oauth.ts
+++ b/src/endpoints/oauth.ts
@@ -499,7 +499,7 @@ const oauthRevocationEndpoint: Endpoint>> = {
 'oauth/access_token': oauthTokenEndpoint,
 'oauth/userinfo': oauthUserInfoEndpoint,
 'oauth/token': refreshTokenEndpoint,
+ 'oauth/revoke': oauthRevocationEndpoint,
 }
 export default endpoints;
\ No newline at end of file